Goose protocol

GC'12 Workshop: Smart Grid Communications: Design for PerformanceExploiting the GOOSE Protocol: A Practical Attack on Cyber-infrastructure Juan Hoyos, Mark Dehus, Timthy X Brown Interdisciplinary Telecommunications Program University of Colorado Boulder Boulder, Colorado, USA {Juan.Hoyos, Mark.Dehus, Timxb}@colorado.edu Abstract—Security issues for the power industry have become increasingly relevant during the past decade as the industry has relied more and more on communication protocols. The Generic Object Oriented Substation Events (GOOSE) protocol is defined in IEC 61850 for the purpose of distributing event data across entire substation networks. In this paper we demonstrate a practical attack by exploiting weaknesses in GOOSE. We also show that this attack can have devastating consequences on the reliability of the grid and is capable of creating a widespread interruption in power generation and distribution. Keywords; cybersecurity; GOOSE messages; IEC 61850; substation security; critical infrastructure. I. INTRODUCTION Security issues for the power industry have become increasingly relevant during the past decade. For more than 20 years almost all communication between devices inside and outside of power substations has been implemented using copper wires and legacy communication protocols [1]. There were many disadvantages to this approach, including long implementation schedules, the high cost of copper wiring, the few parameters available for monitoring, and the need for ongoing maintenance. IEEE 802.3 (Ethernet) based systems have overcome some of these problems by applying the same LAN solutions that have worked for more than 25 years in the Information Technology (IT) industry [2]. While the transition from analog to digital data acquisition allows the power industry to innovate with new communications technologies and protocols such as IEC 61850, it also poses new cybersecurity problems that can affect the stability and reliability of the power grid [3]. IEC 61850 provides a model and rules for organizing data in a manner that is consistent across all types of electronic Intelligent Electronic Devices (IEDs). Generic Object Oriented Substation Events (GOOSE) form part of the IEC 61850 protocol, embedding select logical and analog data such as circuit breakers status, circuit breaker control, interlocking, general alarms, and power transformer’s temperature that are transmitted in Ethernet packets [4]. This paper demonstrates how to create computer malware that can capture, alter, and re-inject GOOSE messages into the network. By taking advantage of existing security holes in the GOOSE messaging protocol, we show how a malware could be used to significantly disrupt the power grid and highlights the need to apply security measures in this area. The next section presents an overview of cyber-security for critical infrastructure, providing a brief history of cyber- 978-1-4673-4941-3/12/$31.00 ©2012 IEEE security and the initiatives, which lead to the creation of current standards. Section III explains the main concepts of GOOSE and how to exploit weaknesses in its design to perpetrate an attack. Section IV demonstrates a practical attack against substation equipment. Section V and VI presents possible solutions to mitigate risks and conclusions. II. CRITICAL INFRASTRUCTURE PROTECTION A. History, Agencies, and Standards. Critical Infrastructure (CI) protection is becoming an increasingly important topic internationally, and particularly after the events of September 11, 2001 in the United States. Federal laws mandate that any virtual or physical assets whose incapacity or destruction would have a debilitating impact on security, national economics, or national public health or safety must be considered CI [3]. The Department of Homeland Security (DHS) defines a total of 18 sectors for the U.S. and each sector is assigned to a specific government agency, which is responsible for identifying risks and promoting rules or standards to protect its assigned CI [5]. For energy-related CI, the Department of Energy (DoE) has been assigned to identify and promote best practices and methodologies for protection and continuity of energy services. The DoE has designated the North American Electric Reliability Corporation (NERC) as the organization responsible for assuring security of the power grid and elevating awareness and understanding of threats and vulnerabilities to utility assets, systems, and networks. In May of 2006 NERC released a set of Critical Infrastructure Protection (CIP) Cyber Security Standards, CIP-002 through CIP-009, applicable to users, owners and operators of the power grid. The CIP standards are designed to minimize the risk of possible cyber attacks using the communications infrastructure, as well as potential physical attacks either of which compromise the integrity of the grid [6]. There are other organizations such as the British Standards Institution (BSI), the National Institute of Standards and Technology (NIST), and the International Society of Automation (ISA) that are working on standards for cyber security for automation processes. B. Cybersecurity for IEC 61850 In the early days of IEC 61850 there were no recommendations for security on the layer 2 multicast GOOSE and Sampled Measured Values (SMV) messages. The vulnerability was considered to be low because the messages were running in a confined network inside a substation protected by the physical 1508 The IEDs are fan-less.3ms). As a result.0 GHz processor used in this table and times will be even longer.7 4. This provides security enhancements not only for Manufacturing Message Specifications (MMS) but also for GOOSE messages and SMV messages. …. Therefore. For instance. IEC 61850-8-1 describes a type of communication based on a publish/subscribe model. III. After the first event message the publisher retransmits (T1.1 5. In November 2011 Siemens published a patent to implement a new method of group key generation and management for the GOOSE model that could help to address the need for low latency security [15]. or insects.0 GHZ PENTIUM III PROCESSOR FOR DIFFERENT SCHEMES [13] Algorithm RSA DSA ECDSA F2160 ECDSA Fp BLS F397 Generation Time (mSec) 7. The time for a digital signature to be generated at the sender and verified at the receiver is shown in Table I as well as other similar algorithms such as the Digital Signature Algorithm (DSA). Shamir and Adleman (RSA) algorithm with 1024-bit keys within 4ms [11]. which increase the delay or latency.2 5. To exchange these datagrams.5 Verification Time (mSec) 0. 32-bit Intel and ARM cores are generally incapable of computing and verifying a digital signature using the Rivest. Part 6 of the IEC 62351 standard covers data and communication security for IEC 61850 peer to peer profiles. The digital signature is created via mathematical techniques to validate the authenticity of a digital message using asymmetrical cryptography. EXPLOITING THE GOOSE PROTOCOL A. In the IEC 62351 standard part 6 states “for applications using GOOSE and IEC 61850-9-2 and requiring 4ms response times. This kind of scheme uses public and private keys to authenticate the message. This is not true today when new applications are running GOOSE messages outside substations for widearea transmission protection schemes and distribution automation schemes [7] [8]. the Elliptic Curve DSA (ECSDA). encryption is not recommended” [9]. IEC Technical Committee 57 (TC57) in the Working Group 15 (WG15). there are many IEDs already installed in the market with slower CPUs. GOOSE messages are periodically sent through the network. substations have become more connected to external networks and employ wireless networks with the potential to expose their IEC 61850 network to outside attackers. The public key is shared with everyone to decrypt a hash of the message. Though IEC62351 addresses many security issues. and part 4 specifies the mechanism of strong authentication to be utilized with MMS profile. from 2011 through 2013. New technologies like multiple cores may enable faster times within the same heat dissipation budget. this time is not enough to comply with the 4ms time constraint. but is typically implemented following an exponential back-off. and disallowed after 2013.3 networks. One study conducted by Cambridge University and ABB in 2010 showed that processing (encoding and decoding) digital signatures required intense CPU consumption. Shacham (BLS) scheme [13]. C. Based on the ambiguity of authentication or encryption some manufacturers do not implement any security in their IEDs. many embedded processors are slower than the 1. TABLE I TIME TO GENERATE AND VERIFY A DIGITAL SIGNATURE ON A 1. and intrusion detection [9]. until it reaches the stable retransmission 1509 .0 Bandwidth (bits) 1024 320 320 320 170 The central processor unit (CPU) embedded in the IEDs has some restriction due to the power dissipation. Although RSA is the fastest (8. IEC 61850-5 specifies a 4ms maximum delay for class P1 type 1A GOOSE messages related to breaker trip functions [12].network isolation. If an event occurs a message is generated immediately. problems remain. spoofing. Further. After 2013 it is recommended to use 2048-bit keys. multicast configurations and low CPU overhead. Currently neither the IEC 62351 recommendation nor proprietary manufacturer solutions have been implemented extensively to improve the security of GOOSE messages. and the Boneh. deprecated.2 23. installed commonly in closed cases to avoid environmental issues like dust. The Problem of Encryption & Message Authentication versus Latency Latency is one of the primary barriers to implementing security for peer-to-peer communications between IEDs. However. The IEC 62351 standard defines a mechanism that requires low computational power to authenticate the data adding a digital signature. which will make the 4ms time restriction more difficult to meet [14]. while the private key is kept private by the publisher to sign the message. Thus. prevention of eavesdropping. At present it is difficult to reconcile the needs for security and low latency. T2. In 2007 the same technical committee that develop the standard IEC 61850. The objectives of IEC 62351 are authentication of data transfers through digital signatures. where one IED (the publisher) creates a message that is delivered to a group of destination IEDs (the subscribers) simultaneously in a single transmission from the source [4]. These definitions provide manufacturers and integrators the tools necessary to implement security for IEC 61850 and the GOOSE stack [10]. When there is no change in data set values. TN) with a variable time separation between messages that is not defined by the standard. Lynn.9 4.0 3.4 4. part 3 defines the communication network and system message authentication profiles including TCP/IP. arguing that any security mechanism will increase the processing time decreasing the speed of action against a fault. water. Normal GOOSE Function The main objective of GOOSE messaging is to provide a fast and reliable mechanism that allows the exchange of data between two or more IEDs over IEEE 802. In fact NIST in a report of 2011 qualified the RSA 1024-bits keys as acceptable through 2011.9 7. 1). released the IEC 62351 standard to provide security to a number of TC57 protocols including IEC 61850 GOOSE messages. the retransmission time between messages is T0 (see Fig. are avoided. encryption or other security measures. Meanwhile there is little clarity on how to implement security for fast GOOSE messages without degrading the actual performance of the IEDs. Nevertheless the standard does not say anything about authentication and its limitation. a count of the number of times that the configuration of the Data Set has been changed. DatSet is a string that describes the name of the Data Set. In this paper. There are several layer 2 attack techniques that could be applied to GOOSE message since the underlying IEC 61850 network is Ethernet. 1510 . T is the “time-stamp” at which the attribute StNum was incremented. The VLAN priority tagging is IEEE 802. Measured changes in generation levels on one side of the system must affect load balance on the other side of the system over 150 miles away in less than one second. causing a circuit breaker to miss an operation. ConfRev is the “Configuration Revision”.Fig. the Palo Verde Nuclear Generating Station (PVNGS) and California ISO use GOOSE messaging between their substations to create a Remedial Action Scheme (RAS) on the Salt River Project. the first two fields. Attacks on Ethernet include: ARP attacks. with details of the equipment and scripts intentionally omitted. private VLAN attacks. or causing physical damages in the field devices like power transformers or circuit breakers. The Test field indicates if the message is a test or not. VLAN hopping attacks. The Reserved1 and Reserved2 fields are reserved for future standardized applications and are set to 0 by default. The last two fields are the Application PDU (APDU) length and finally the frame checksum sequence [4]. spanning-tree attacks. StNum is the “State Number”. Technical Details The following attack was implemented as an ethical demonstration of security vulnerability in the Digital Energy Laboratory at the University of Colorado Boulder. and the structure of protocols in the OSI model are such that the upper layers in the model could be unaware that layer 2 has been compromised [17]. engineers. Attack Vectors and Techniques An attack is defined by the motivation. preamble and start of frame. The fourth octet could be 01 for GOOSE. An attack could be created using a variety of techniques described above. A similar attack vector was used to allow the Stuxnet worm to gain access for an attack on Siemens industrial software and equipment in 2010 [16]. VLAN trunking protocol attacks. The main purpose of the GOOSE message is to carry vital information (alarms. As a specific example. or manufacturer support teams who access a GOOSE network and are unknowingly carrying the malware. Any alteration of these values could create an automation breakdown. Such equipment can be infected with malware at the time of manufacture and installed directly in a substation.1Q. bypassing physical protection and providing the malware with a host. If T0 is exceeded. The source address is a unicast MAC address. vectors. The length indicates the total number of bytes in the frame less eight bytes. MAC flooding attacks. and the techniques. GoID is the IED sender identifier. multicast brute force attacks.1Q/Nested VLAN attacks. identity theft. frequency excursions. the outage could trigger cascading failures and become sufficiently large so as to affect complete cities or states. Attack vectors enable exploitation of the system vulnerabilities. C. The Ether-type of a GOOSE message is 88-B8. including human elements. and control) between devices. The attack vector is a path or means by which an attacker gains access to a computer or network in order to achieve their ultimate goal. B. Another attack vector is through manufacturing facilities of producers of IEC 61850 IED equipment or other network equipment. TimeAllowedToLive is the time that the receiver has to wait for the next message. NumDatSetEntries is the “Number of Data Set Entries”. more than one distribution or transmission circuit could be affected. If the same attack involved transmission or generation circuits. The last two octets of the six are used as individual addresses for each GOOSE message. MAC spoofing and double-encapsulated 802. containing an incremental counter for each time a GOOSE message has been sent. status. The Application ID is 00. A similar attack could move from the lab to the field in a matter of days. 1. the number of elements that comprise this specific data set [4]. 02 for GSSE. An attack vector can come from malicious persons among cleaning crews or substation personnel that have access to the IEC 61850 network. If the attack compromises a bus bar or differential protection. The destination corresponds to an Ethernet MAC multicast address. are equal to the first two fields of an Ethernet frame. Access to the network could be obtained via installation of malware on the computers of maintenance operators. or 04 for multicast SMV. BUILDING A PRACTICAL CYBER ATTACK A. a counter that increments each time a GOOSE message has been sent with any change in the values of the Data Set. The attacks that we describe can be hosted on even simple devices. IV. Attack Consequences There are several consequences if a layer 2 attack is executed in a substation. The SqNum is the “Sequence Number”. As a result one part of the city or region would suffer an outage. we assumed a motivated attacker and focus on the attack vectors and techniques. the subscriber could declare a problem in the communication link or in the GOOSE message [4]. The GOOSE messages are implemented in a “flat” Ethernet Ring and carry analog and digital values to control the load at both sides. A GOOSE attack that appears to changes the values of generation levels could produce voltage dips. GOOSE transmission [4] time T0. The GOOSE datagram has twelve fields that define the Protocol Data Unit (PDU). IEC 61850 has been assigned Ethernet addresses that start with the three first octets (01-0C-CD). bypassing interlocks. The APDU has ten fields described here. and cascading problems throughout the Western Electricity Coordinating Council (WECC) region [8]. which means that it is out of sequence. keeping the sequence for the different counters and timers. After using Scapy to monitor all physical ports and capture the raw packets. etc. one RuggedCom 2100 switch. 2 shows how the attacker has an opportunity between each valid message to insert the spoofed messages with incorrect data. owing to the latency issues on IED devices as previously detailed. it can decode the message to find and change the Data values. dissect. The lightning bolts in the Fig. C. where the topmost and the bottommost arrows are the true messages. Second. Fig. decode the GOOSE message using Abstract Syntax Notation One (ASN1) and Basic Encoding Rules (BER) [18]. such as GOOSE messaging between substations using Layer 2 tunneling and wireless communications inside the substation.5Ghz Intel core i5 within a virtual B. These capabilities allow the construction of tools that can probe. The Results of the Attack Figure 4 shows a Wireshark capture. However. It shows the change of stNum. Wireshark capture showing spoofed GOOSE messages The process of modifying data is illustrated in Fig. 5. Yersinia. 1511 . The last part of the code generates the spoofed messages and sends them through the network with the same source and destination MAC address as the valid user. The attacker created the next message in the middle. In Fig. monitor packets on the physical ports looking for GOOSE messages based on Ether-type identification. change the values inside each data set. The leftmost message is a valid message. 5. Fig. This attack was created using Scapy in conjunction with Python scripts. which resets the SqNum in the cloned packet. There are several programs that can be used to do this: Scapy. Second. the script looks for three specific fields: stNum. EtterCap. one Linksys wireless router. 2. The attack was successful in all scenarios and we describe one in detail below. which shows the variable values in three successive GOOSE messages measured by the laptop at the RuggedCom 2100 in Fig. Fig. are the spoofed messages. In addition new scenarios were created. 3. Looking at the time stamp of the packets 193 and 195. After decoding. 3 represent the attack points. GOOSE exploit Fig. one RuggedCom RS900. Building the Script The first step to carry out the attack is to identify GOOSE messages in the network. it is necessary to decode the GOOSE message using the definition of ASN1 described in the IEC 61850-8-1. and the Boolean values inside the data sets. encode the packet using BER and send the packet through a physical port cloning the source MAC address. Macof. The script ran on a MacBook Air 1. Network Diagram The attacker does not directly know the high-level meaning of this GOOSE message (e. A practical GOOSE message spoof attack can be divided into four steps. The rightmost message is the next valid message. we implemented the above steps on the laptop described above. To show the attack can be successful. forge and send network packets. 3. We note that the equipment did not generate any error or warning that the messages are out of sequence. This keeps on the old number sequence. The four middle arrows. the code parses the Ethernet frames looking for the specific GOOSE Ether-type. which represents a typical substation automation architecture. Scapy is also a Python program that enables the user to sniff. events 194 to 197. scan. Wireshark. The schematic in Fig. that this is a command from a circuit-breaker controller to a circuit breaker). where the messages are sent at 1 second intervals during steady state. or attack Ethernet networks. The hardware used for the test were two (2) Cisco 3600 Routers. For any Boolean value inside the data-set. GOOSE attack schematic Our attack uses a GOOSE exploit via spoofing where an intruder publishes false layer 2 packets and devices on the receiving side mistakenly believe they are receiving valid (true) packets sent by a trusted or secured entity. which in this case is 0x88B8. 3. the attack could inject hundreds of false GOOSE messages before the next valid datagram reaches the IED. TCPDump. the time to generate spoofed GOOSE messages is less than 1ms. and four IEDs. This attack is possible due to the unencrypted & unauthenticated nature of GOOSE messages.g. Fourth. This means that in a default GOOSE configuration. First. 4. if the value is true the code overwrites a false and vice versa. To prove the vulnerability of the GOOSE networks our attack script uses the network configuration shown in Fig. sqNum. Third. Cain & Abel.machine running Xubuntu OS. National infrastructure protection plan. May 2 2009.2006. which again deasserts the output. “Information analysis and infrastructure protection”. 2005/2006 IEEE PES. “Comparing the reliability of Ethernet network topologies in substation control and monitoring networks”. These practices include but are not limited to: set a dedicated VLAN ID for all trunk ports.2008. Power Systems Conference: Advanced Metering.selinc.nerc. "Securing IEC 61850". data and communication security.4596335F [11] Alvarez. Communication networks and systems in substation -. NERC Implementation plan for cyber security standards CIP002-1 through CIP-009-1. “Implementation and operational experience of a wide area special protection scheme on the SRP system”. utilities and power companies must implement not only physical but also cyber measures to prevent this kind of attack. 376 – 383. 6 shows the Sequence Event Recorder (SER) on the IED. 2008. partnering to enhance protection and resilience.S. To verify this has an effect.5. Available: http://www.1109/TDC. This SER monitors the physical outputs and generates a time stamp of output events. IEC 61850. 6. “The Protection of Substation Communications”. Therefore additional security measures must be implemented. BIBLIOGRAPHY [1] R. L. use a VLAN other than the default (VLAN 1). Solutions like adding an external security module to network interfaces in each IED adds expense and additional failure modes. Available: http://www. SEL. doi: 10. Another 995ms later the next true message arrives. WA. pp.pdf [3] Department of Homeland Security.scribd. An alternative approach could use switches and routers that understand the IEC 61850 protocol and inspect GOOSE message content. Brunello. Available: http://www. VII.gov/xlibrary/assets/NIPP_Plan. In this approach. the attacker changes the Boolean data value from False to True. Goraj. PacWorld Conference. We demonstrated that a simple attack enables malware to control IEC 61850-enabled control equipment. which have valid credentials. Dolezilek. the effect of this action is to cause the IED to trip the relay. McGhee. IEC standard 62351. doi: 10. “Overview of 61850 benefits”. Meanwhile. [Online]. All of these techniques are well documented and known by IT staff. 2007. Protection. Some classical IT techniques to prevent Ethernet layer 2 attacks could be applied to protect GOOSE messages. technology opens the door to new research.com/techpprs/6103. 21-24 May 2006.1668522 [2] G. The relay in a real substation could control a circuit breaker or switch. Lipes. [Online]. of S4 2010: SCADA Security Scientific 1512 . RES 543-2011. Adamiak and G.285384 [9] IEC. E. HOW TO MITIGATE THIS KIND OF ATTACK Although some attack vectors could be reduced using physical security. 2006.dhs.pdfhttp://www2. [5] Department of Homeland Security. Available: http://www2. Fig. Transmission and Distribution Conference and Exhibition. Fig.P. VI. This control has the potential to cause outages that range from a single feeder on up. create an access or prefix list based on user/device credentials. Power systems management and associated information exchange. set all ports to non-trunking. Proc.com/doc/78041627/74994185-Iec-61850-Goose-OverWimax-Pac-World-2011 [8] M. it is of vital importance that the configuration of the network switch and routers be permitted just for trusted traffic and users inside the substation network. 2006. Technical Applications Document. 145-158. Mackiewicz.pdf [4] IEC. generating the event 2. 2011. Critical Infrastructure Information Act of 2002.com/fileUploads/File/Standards/Revised_Implementati on_Plan_CIP-002-0 [7] M.8. and K.com/techp prs/6103. For trusted employees or compromised equipment inside the facility.Specific communication service mapping. While there is no clear definition about how to implement security for GOOSE messages. After 5ms a spoofed message is processed at the IED asserting the output and generating event 3.pdf [6] NERC. [10] H. avoid the use of shared Ethernet such as WLANs or hubs [19].1109/PES. there are others that are more difficult to control because they use trusted personnel or equipment.gov/xlibrary/assets/CII_Act. July 2008. the network could discard or generate alarms when it detects logically inconsistent messages (such as packets with the same MAC address coming from different ports on a switch or messages not consistent with the IEC 61850 configuration). Event 4 (number on the left) shows the times when the valid message instructed the IED to deassert output 101. Pullman. McGrath. “IEC 61850 over Wimax for fast isolation and restoration of faults in distribution networks”.Conversion and Delivery of Electrical Energy in the 21st Century. To prevent insider attacks it is necessary that end devices have security algorithms implemented to encrypt packets or add a digital signature so that they cannot be monitored by the attacker and authenticated so that spoofed packets cannot be sent.1109/PSAMP. April 2000. Available: http://es. These techniques could be added just to the switches and some key equipment in the Ethernet to provide some limited protection. Falk. 1-3. K. As noted in Section II-C. Control. and Distributed Resources. most of the traditional IT techniques would be ineffective.dhs. legacy and low-capability IEDs cannot support these cryptographic algorithms. pp. [Online]. Hansen. FURTHER WORK The lack of clarity in the standards about how to implement the security for IEC 61850 layer 2 messages with the current CONCLUSION ACKNOWLEDGEMENT This work was supported by Department of Energy grant DEOE00436 and by Empresas Públicas de Medellín E. Scheer and D.selinc. and J. In this case. doi:10. pp. 20-24. disable unused ports and put them in an unused VLAN.2006. IED output status V. At this level using the measures indicated the network is somewhat protected against intrusion originating from outside of the organization. We describe several techniques for improving security not only for physical but also networking self-configuration measures. Power and Energy Society General Meeting . Communication. Additional research could focus on security measures and standards that could be backwards compatible allowing for thousands of IEDs to be able to run layer 2 multicast protocols securely. Senecal.com/web/ME/exposaudi2009/assets/docs/layer2_attack s_and_mitigation_t. January 2010.” Proc. Available: http://www. Available: http://www.pdf S. Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER).2 December 2005. IEC standard 61850.pdf Elaine Barker and Allen Roginsky.cl. Computerworld. USA Available: http://www. Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. International Patent WO2011/141040A1. Seewald. 2002 [Online]. McMillan. 2008. Specific communication service mapping. NIST Special Publication 800-131A http://csrc.ac. Cisco press. Fries and M. Matt. Florida http://www.cisco.690-0207.com/s/article/print/9185419/Siemens_Stuxne t_worm_hit_industrial_systems [17] L.pdf [19] Yunsuf. “Method of group key generation and management for generic object oriented substation event model”. pp.gov/publications/nistpubs/800-131A/sp800-131A. CCIE profesional development series network security technologies and solutions.int/ITU-T/studygroups/com17/languages/X. 221. Miami.uk/~sf392/publications/S4-2010.dtic. “The cost of protecion measures in tactical networks.pdf [18] ITU. and defending against layer 2 attacks” Cisco Expo 2009. “Siemens: Stuxnet worm hit industrial systems”. [Online].609. preventing. March 20 2008. Information technolog ASN.5. Available: http://www.cam. of the 24th Army Science Conference 29 November .mil/dtic/tr/fulltext/u2/a432010. September 14 2010 [Online].itu.nist. 1513 . Brian J.pdf IEC. ISBN 1-58705-246-6.[12] [13] [14] [15] Symposium. [16] R. 2011.computerworld. ITU Standard X.1 encoding rules: Specification of Basic Encoding Rules (BER). “Understanding. Communication networks and systems in substation. Orlando. November 17.